On 09/11/2013 04:56 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Describe some of the issues to be aware of when configuring LXC
guests with security isolation as a goal.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
docs/drvlxc.html.in | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
+
+<p>
+Sharing the host filesystem tree, also allows applications to access
+UNIX domains sockets associated with the host OS, which are in the
+filesystem namespaces. It should be noted that a number of init
+systems including at least <code>systemd</code> and
<code>upstart</code>
+have UNIX domain socket which are used to control their operation.
+Thus, if the directory/filesystem holding their UNIX domain socket is
+exposed to the container, it will be possible for a user in the container
+to invoke operations on the init service in the same way it could if
+outside the container. This also applies to other applications in the
+host which use UNIX domain sockets in the filesystem, such as DBus,
+Libvirtd, and many more. If this is not desired, then applications
+should either specify the UID/GID mapping in the configuration to
+enable user namespaces & thus block access to the UNIX domain socket
s/&/and/
ACK.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org